Dependency Scanning for Java Gradle projects
Problem to solve
Make Dependency Scanning scan Java Gradle projects.
Currently GitLab Dependency Scanning is able to scan Java Maven projects but does not support Java Gradle. See Supported languages and package managers.
Maven projects are scanned by the gemnasium-maven analyzer, which relies on the Gemnasium Maven Plugin to build the list of the project dependencies. This can't work with Gradle projects because the dependencies are declared in a Gradle configuration file, not in a POM XML file.
- port the Gemnasium Maven Plugin
  - build a dependency list for a given Gradle project
  - turn that list into a JSON document; see
- update gemnasium-maven
  - change project detection so that it responds to Gradle files
  - integrate the new Gemnasium Gradle plugin
  - switch between the two plugins depending on the detected files
This would be similar to gemnasium-python which can handle multiple package managers.
It makes sense to reuse the existing gemnasium-maven because Gemnasium will detect Maven packages hosted on Maven Central.
Update dependency-scanning (update Go module gemnasium-maven) and release a new version. This is needed so that the legacy Docker-in-Docker based Dependency Scanning detects Gradle projects.
The Gemnasium Gradle plugin generates a JSON array of dependency objects.
A dependency MUST have these fields:
The array SHOULD NOT contain duplicates, though this is something we can remediate in the parser if needed.
A dependency MAY have these extra fields:
TODO: establish which fields don't apply to Gradle dependencies, if any.
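As an added example, not the Gemnasium Gradle plugin itself (whose code is not on this page), here is a standalone Gradle build-script task in the Groovy DSL that resolves every resolvable configuration, drops duplicates by group, name and version, and writes the result as a JSON array. The field names name and version are assumptions, since the required and optional fields are not listed here; the task name and output path are likewise made up for the example.

```groovy
// Added example: emit resolved dependencies as a JSON array of objects.
// Schema (name, version) is an assumption, not the plugin's documented format.
import groovy.json.JsonOutput

task gemnasiumDumpDependencies {
    description = 'Writes resolved dependencies as a JSON array'
    def outFile = file("${buildDir}/gemnasium-dependencies.json")
    outputs.file outFile
    doLast {
        def seen = [] as Set   // guards against duplicate group:name:version entries
        def deps = []
        // canBeResolved exists since Gradle 3.3; on older Gradle iterate
        // configurations.runtime (and friends) explicitly instead.
        configurations.findAll { it.canBeResolved }.each { cfg ->
            // lenientConfiguration tolerates modules that fail to resolve
            // (e.g. private repositories unreachable from CI) instead of aborting.
            def lenient = cfg.resolvedConfiguration.lenientConfiguration
            lenient.allModuleDependencies.each { dep ->
                def key = "${dep.moduleGroup}:${dep.moduleName}:${dep.moduleVersion}".toString()
                if (seen.add(key)) {
                    deps << [
                        // Maven-style "group/artifact" name so Gemnasium can match Maven Central
                        name   : "${dep.moduleGroup}/${dep.moduleName}".toString(),
                        version: dep.moduleVersion,
                    ]
                }
            }
        }
        outFile.parentFile.mkdirs()
        outFile.text = JsonOutput.prettyPrint(JsonOutput.toJson(deps))
        logger.lifecycle("Wrote ${deps.size()} unique dependencies to ${outFile}")
    }
}
```

Run it with `gradle gemnasiumDumpDependencies` from the project root; the analyzer-side parser can still deduplicate as a fallback, as the text above suggests.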
To be documented in Supported languages and package managers
To be tested with a specific Gradle test project, to be added to security-products/tests
At least two test projects are needed:
- Gradle 4.0 or later
- Gradle 3.x or earlier
If https://gitlab.com/gitlab-org/gitlab-ee/issues/10658 is completed, update the CI configuration of gemnasium-maven (possibly renamed to gemnasium-java) to test it against:
- Gradle projects (2 versions)
- Maven projects (single POM and multi-module)
- define an output format for the Gemnasium Gradle Plugin
- port the Gemnasium Maven Plugin to Gradle
- java-gradle test project: add vulnerable dependencies as well as a QA expectation file
- integrate Gemnasium Gradle Plugin into gemnasium-maven, integrate test projects for QA, release a new version; see gitlab-org/security-products/analyzers/gemnasium-maven!17 (merged)
- update dependency-scanning project
- update documentation to add new dependency capability
What does success look like, and how can we measure that?
Dependency Scanning CI jobs succeed instead of failing with the "No compatible analyzer can be found" error.